Beruflich Dokumente
Kultur Dokumente
Security Audit
LECTURE 1
IT Audit Overview
Dr Kamarudin Saadan
©For internal use only
Main topics
Introduction
The impact of IT on organization
The work of an IT Auditor
IT Audit skills
Professional IT Auditor organizations and
certifications
Structuring IT audit
Introduction
IT auditor in demand
– Why?
The work of an IT Auditor is interesting and
challenging
– Why?
Impact of IT on Organization
IT creates opportunities
Opportunities may bring risks
IT Governance
IT Governance
DEFINITION
…the process for controlling an
organization’s IT resources, including
information and communication systems,
and technology.
OBJECTIVES
…using IT to promote an organization’s
objectives and enable business processes
and to manage and control IT related
risks.
CobiT’s IT Governance
Management Guideline
Identifies critical success factors,
key goal and performance indicators,
and an IT governance maturity
model.
IT governance framework begins
with setting IT objectives and
measures and compares performance
against them
The IT Governance Framework
PROVIDE
DIRECTION
COMPARE
and maximizes benefits effective)
IT resources are used Decrease cost (make
responsibly enterprise efficient)
IT-related risks managed Manage risks (security
appropriately reliability and
compliance)
MEASURE
PERFORMANCE
IT and Transaction (Tx)
Processing
The IS collects transaction data
The IS turns data into information
Computerized Tx systems increase some
risks and decrease others
What do IT auditors do?
Evaluate controls over specific applications
Provides assurance over specific processes
Provide third-party assurance
Do penetrating tests
Support financial audit
Works on many kind of audit
engagementssearching for IT-based fraud
Financial vs IT Audits
IT auditors may work on financial audit
engagements
IT auditors may work on every step of the
financial audit engagement
Standards, such as SAS No. 94, guide the work of
IT auditors on financial audit engagements
IT audit work on financial audit engagements is
likely to increase as internal control evaluation
becomes more important
IT Audit Skills
College education – IS, computer science,
accounting
Certifications – CPA, CFE, CIA, CISA,
CISSP, and special technical certifications
Technical IT audit skills – specialized
technologies
General personal and business skills
Professional Groups and
Certifications
ISACA – CISA
IIA – CIA
ACFE – CFE
AICPA – CPA and CITP
How to Structure an IT Audit
AICPA Standards and Guidelines – GAAS,
SAS, and SSAE
IFAC Guidelines – harmonized or common
international accounting standards and
guidelines
ISACA standards, guidelines, and
procedures – includes CobiT and audit
standards
An Overview of the Course
Section I – an introduction to IT audit, the legal
and ethical environment of the IT audit,
introduction to risks and controls
Section II – risks over specific processes and
technologies – deployment of IS, operation of IS,
network systems, and e-business systems
Section III – how to do an It audit – use of
CAATTs and a step-by-step IT audit
IT Audit Glossary
ACL tutorial